4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
22 * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
23 * Copyright 2011 Nexenta Systems, Inc. All rights reserved.
26 #include <sys/types.h>
27 #include <sys/param.h>
29 #include <sys/systm.h>
30 #include <sys/sysmacros.h>
31 #include <sys/resource.h>
33 #include <sys/vnode.h>
37 #include <sys/cmn_err.h>
38 #include <sys/errno.h>
39 #include <sys/unistd.h>
41 #include <sys/fs/zfs.h>
42 #include <sys/policy.h>
43 #include <sys/zfs_znode.h>
44 #include <sys/zfs_fuid.h>
45 #include <sys/zfs_acl.h>
46 #include <sys/zfs_dir.h>
47 #include <sys/zfs_vfsops.h>
49 #include <sys/dnode.h>
52 #include <acl/acl_common.h>
54 #define ALLOW ACE_ACCESS_ALLOWED_ACE_TYPE
55 #define DENY ACE_ACCESS_DENIED_ACE_TYPE
56 #define MAX_ACE_TYPE ACE_SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE
57 #define MIN_ACE_TYPE ALLOW
59 #define OWNING_GROUP (ACE_GROUP|ACE_IDENTIFIER_GROUP)
60 #define EVERYONE_ALLOW_MASK (ACE_READ_ACL|ACE_READ_ATTRIBUTES | \
61 ACE_READ_NAMED_ATTRS|ACE_SYNCHRONIZE)
62 #define EVERYONE_DENY_MASK (ACE_WRITE_ACL|ACE_WRITE_OWNER | \
63 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS)
64 #define OWNER_ALLOW_MASK (ACE_WRITE_ACL | ACE_WRITE_OWNER | \
65 ACE_WRITE_ATTRIBUTES|ACE_WRITE_NAMED_ATTRS)
67 #define ZFS_CHECKED_MASKS (ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_READ_DATA| \
68 ACE_READ_NAMED_ATTRS|ACE_WRITE_DATA|ACE_WRITE_ATTRIBUTES| \
69 ACE_WRITE_NAMED_ATTRS|ACE_APPEND_DATA|ACE_EXECUTE|ACE_WRITE_OWNER| \
70 ACE_WRITE_ACL|ACE_DELETE|ACE_DELETE_CHILD|ACE_SYNCHRONIZE)
72 #define WRITE_MASK_DATA (ACE_WRITE_DATA|ACE_APPEND_DATA|ACE_WRITE_NAMED_ATTRS)
73 #define WRITE_MASK_ATTRS (ACE_WRITE_ACL|ACE_WRITE_OWNER|ACE_WRITE_ATTRIBUTES| \
74 ACE_DELETE|ACE_DELETE_CHILD)
75 #define WRITE_MASK (WRITE_MASK_DATA|WRITE_MASK_ATTRS)
77 #define OGE_CLEAR (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \
78 ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE)
80 #define OKAY_MASK_BITS (ACE_READ_DATA|ACE_LIST_DIRECTORY|ACE_WRITE_DATA| \
81 ACE_ADD_FILE|ACE_APPEND_DATA|ACE_ADD_SUBDIRECTORY|ACE_EXECUTE)
83 #define ALL_INHERIT (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE | \
84 ACE_NO_PROPAGATE_INHERIT_ACE|ACE_INHERIT_ONLY_ACE|ACE_INHERITED_ACE)
86 #define RESTRICTED_CLEAR (ACE_WRITE_ACL|ACE_WRITE_OWNER)
88 #define V4_ACL_WIDE_FLAGS (ZFS_ACL_AUTO_INHERIT|ZFS_ACL_DEFAULTED|\
91 #define ZFS_ACL_WIDE_FLAGS (V4_ACL_WIDE_FLAGS|ZFS_ACL_TRIVIAL|ZFS_INHERIT_ACE|\
94 #define ALL_MODE_EXECS (S_IXUSR | S_IXGRP | S_IXOTH)
97 zfs_ace_v0_get_type(void *acep)
99 return (((zfs_oldace_t *)acep)->z_type);
103 zfs_ace_v0_get_flags(void *acep)
105 return (((zfs_oldace_t *)acep)->z_flags);
109 zfs_ace_v0_get_mask(void *acep)
111 return (((zfs_oldace_t *)acep)->z_access_mask);
115 zfs_ace_v0_get_who(void *acep)
117 return (((zfs_oldace_t *)acep)->z_fuid);
121 zfs_ace_v0_set_type(void *acep, uint16_t type)
123 ((zfs_oldace_t *)acep)->z_type = type;
127 zfs_ace_v0_set_flags(void *acep, uint16_t flags)
129 ((zfs_oldace_t *)acep)->z_flags = flags;
133 zfs_ace_v0_set_mask(void *acep, uint32_t mask)
135 ((zfs_oldace_t *)acep)->z_access_mask = mask;
139 zfs_ace_v0_set_who(void *acep, uint64_t who)
141 ((zfs_oldace_t *)acep)->z_fuid = who;
146 zfs_ace_v0_size(void *acep)
148 return (sizeof (zfs_oldace_t));
152 zfs_ace_v0_abstract_size(void)
154 return (sizeof (zfs_oldace_t));
158 zfs_ace_v0_mask_off(void)
160 return (offsetof(zfs_oldace_t, z_access_mask));
165 zfs_ace_v0_data(void *acep, void **datap)
171 static acl_ops_t zfs_acl_v0_ops = {
174 zfs_ace_v0_get_flags,
175 zfs_ace_v0_set_flags,
181 zfs_ace_v0_abstract_size,
187 zfs_ace_fuid_get_type(void *acep)
189 return (((zfs_ace_hdr_t *)acep)->z_type);
193 zfs_ace_fuid_get_flags(void *acep)
195 return (((zfs_ace_hdr_t *)acep)->z_flags);
199 zfs_ace_fuid_get_mask(void *acep)
201 return (((zfs_ace_hdr_t *)acep)->z_access_mask);
205 zfs_ace_fuid_get_who(void *args)
208 zfs_ace_t *acep = args;
210 entry_type = acep->z_hdr.z_flags & ACE_TYPE_FLAGS;
212 if (entry_type == ACE_OWNER || entry_type == OWNING_GROUP ||
213 entry_type == ACE_EVERYONE)
215 return (((zfs_ace_t *)acep)->z_fuid);
219 zfs_ace_fuid_set_type(void *acep, uint16_t type)
221 ((zfs_ace_hdr_t *)acep)->z_type = type;
225 zfs_ace_fuid_set_flags(void *acep, uint16_t flags)
227 ((zfs_ace_hdr_t *)acep)->z_flags = flags;
231 zfs_ace_fuid_set_mask(void *acep, uint32_t mask)
233 ((zfs_ace_hdr_t *)acep)->z_access_mask = mask;
237 zfs_ace_fuid_set_who(void *arg, uint64_t who)
239 zfs_ace_t *acep = arg;
241 uint16_t entry_type = acep->z_hdr.z_flags & ACE_TYPE_FLAGS;
243 if (entry_type == ACE_OWNER || entry_type == OWNING_GROUP ||
244 entry_type == ACE_EVERYONE)
250 zfs_ace_fuid_size(void *acep)
252 zfs_ace_hdr_t *zacep = acep;
255 switch (zacep->z_type) {
256 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE:
257 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE:
258 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE:
259 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE:
260 return (sizeof (zfs_object_ace_t));
264 (((zfs_ace_hdr_t *)acep)->z_flags & ACE_TYPE_FLAGS);
265 if (entry_type == ACE_OWNER ||
266 entry_type == OWNING_GROUP ||
267 entry_type == ACE_EVERYONE)
268 return (sizeof (zfs_ace_hdr_t));
271 return (sizeof (zfs_ace_t));
276 zfs_ace_fuid_abstract_size(void)
278 return (sizeof (zfs_ace_hdr_t));
282 zfs_ace_fuid_mask_off(void)
284 return (offsetof(zfs_ace_hdr_t, z_access_mask));
288 zfs_ace_fuid_data(void *acep, void **datap)
290 zfs_ace_t *zacep = acep;
291 zfs_object_ace_t *zobjp;
293 switch (zacep->z_hdr.z_type) {
294 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE:
295 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE:
296 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE:
297 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE:
299 *datap = (caddr_t)zobjp + sizeof (zfs_ace_t);
300 return (sizeof (zfs_object_ace_t) - sizeof (zfs_ace_t));
307 static acl_ops_t zfs_acl_fuid_ops = {
308 zfs_ace_fuid_get_mask,
309 zfs_ace_fuid_set_mask,
310 zfs_ace_fuid_get_flags,
311 zfs_ace_fuid_set_flags,
312 zfs_ace_fuid_get_type,
313 zfs_ace_fuid_set_type,
314 zfs_ace_fuid_get_who,
315 zfs_ace_fuid_set_who,
317 zfs_ace_fuid_abstract_size,
318 zfs_ace_fuid_mask_off,
323 * The following three functions are provided for compatibility with
324 * older ZPL version in order to determine if the file use to have
325 * an external ACL and what version of ACL previously existed on the
326 * file. Would really be nice to not need this, sigh.
329 zfs_external_acl(znode_t *zp)
331 zfs_acl_phys_t acl_phys;
338 * Need to deal with a potential
339 * race where zfs_sa_upgrade could cause
340 * z_isa_sa to change.
342 * If the lookup fails then the state of z_is_sa should have
346 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_ZNODE_ACL(zp->z_zfsvfs),
347 &acl_phys, sizeof (acl_phys))) == 0)
348 return (acl_phys.z_acl_extern_obj);
351 * after upgrade the SA_ZPL_ZNODE_ACL should have been
354 VERIFY(zp->z_is_sa && error == ENOENT);
360 * Determine size of ACL in bytes
362 * This is more complicated than it should be since we have to deal
363 * with old external ACLs.
366 zfs_acl_znode_info(znode_t *zp, int *aclsize, int *aclcount,
367 zfs_acl_phys_t *aclphys)
369 zfsvfs_t *zfsvfs = zp->z_zfsvfs;
374 ASSERT(MUTEX_HELD(&zp->z_acl_lock));
376 if ((error = sa_size(zp->z_sa_hdl, SA_ZPL_DACL_ACES(zfsvfs),
380 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_DACL_COUNT(zfsvfs),
381 &acl_count, sizeof (acl_count))) != 0)
383 *aclcount = acl_count;
385 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_ZNODE_ACL(zfsvfs),
386 aclphys, sizeof (*aclphys))) != 0)
389 if (aclphys->z_acl_version == ZFS_ACL_VERSION_INITIAL) {
390 *aclsize = ZFS_ACL_SIZE(aclphys->z_acl_size);
391 *aclcount = aclphys->z_acl_size;
393 *aclsize = aclphys->z_acl_size;
394 *aclcount = aclphys->z_acl_count;
401 zfs_znode_acl_version(znode_t *zp)
403 zfs_acl_phys_t acl_phys;
406 return (ZFS_ACL_VERSION_FUID);
411 * Need to deal with a potential
412 * race where zfs_sa_upgrade could cause
413 * z_isa_sa to change.
415 * If the lookup fails then the state of z_is_sa should have
418 if ((error = sa_lookup(zp->z_sa_hdl,
419 SA_ZPL_ZNODE_ACL(zp->z_zfsvfs),
420 &acl_phys, sizeof (acl_phys))) == 0)
421 return (acl_phys.z_acl_version);
424 * After upgrade SA_ZPL_ZNODE_ACL should have
427 VERIFY(zp->z_is_sa && error == ENOENT);
428 return (ZFS_ACL_VERSION_FUID);
434 zfs_acl_version(int version)
436 if (version < ZPL_VERSION_FUID)
437 return (ZFS_ACL_VERSION_INITIAL);
439 return (ZFS_ACL_VERSION_FUID);
443 zfs_acl_version_zp(znode_t *zp)
445 return (zfs_acl_version(zp->z_zfsvfs->z_version));
449 zfs_acl_alloc(int vers)
453 aclp = kmem_zalloc(sizeof (zfs_acl_t), KM_SLEEP);
454 list_create(&aclp->z_acl, sizeof (zfs_acl_node_t),
455 offsetof(zfs_acl_node_t, z_next));
456 aclp->z_version = vers;
457 if (vers == ZFS_ACL_VERSION_FUID)
458 aclp->z_ops = zfs_acl_fuid_ops;
460 aclp->z_ops = zfs_acl_v0_ops;
465 zfs_acl_node_alloc(size_t bytes)
467 zfs_acl_node_t *aclnode;
469 aclnode = kmem_zalloc(sizeof (zfs_acl_node_t), KM_SLEEP);
471 aclnode->z_acldata = kmem_alloc(bytes, KM_SLEEP);
472 aclnode->z_allocdata = aclnode->z_acldata;
473 aclnode->z_allocsize = bytes;
474 aclnode->z_size = bytes;
481 zfs_acl_node_free(zfs_acl_node_t *aclnode)
483 if (aclnode->z_allocsize)
484 kmem_free(aclnode->z_allocdata, aclnode->z_allocsize);
485 kmem_free(aclnode, sizeof (zfs_acl_node_t));
489 zfs_acl_release_nodes(zfs_acl_t *aclp)
491 zfs_acl_node_t *aclnode;
493 while (aclnode = list_head(&aclp->z_acl)) {
494 list_remove(&aclp->z_acl, aclnode);
495 zfs_acl_node_free(aclnode);
497 aclp->z_acl_count = 0;
498 aclp->z_acl_bytes = 0;
502 zfs_acl_free(zfs_acl_t *aclp)
504 zfs_acl_release_nodes(aclp);
505 list_destroy(&aclp->z_acl);
506 kmem_free(aclp, sizeof (zfs_acl_t));
510 zfs_acl_valid_ace_type(uint_t type, uint_t flags)
517 case ACE_SYSTEM_AUDIT_ACE_TYPE:
518 case ACE_SYSTEM_ALARM_ACE_TYPE:
519 entry_type = flags & ACE_TYPE_FLAGS;
520 return (entry_type == ACE_OWNER ||
521 entry_type == OWNING_GROUP ||
522 entry_type == ACE_EVERYONE || entry_type == 0 ||
523 entry_type == ACE_IDENTIFIER_GROUP);
525 if (type >= MIN_ACE_TYPE && type <= MAX_ACE_TYPE)
532 zfs_ace_valid(vtype_t obj_type, zfs_acl_t *aclp, uint16_t type, uint16_t iflags)
535 * first check type of entry
538 if (!zfs_acl_valid_ace_type(type, iflags))
542 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE:
543 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE:
544 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE:
545 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE:
546 if (aclp->z_version < ZFS_ACL_VERSION_FUID)
548 aclp->z_hints |= ZFS_ACL_OBJ_ACE;
552 * next check inheritance level flags
555 if (obj_type == VDIR &&
556 (iflags & (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE)))
557 aclp->z_hints |= ZFS_INHERIT_ACE;
559 if (iflags & (ACE_INHERIT_ONLY_ACE|ACE_NO_PROPAGATE_INHERIT_ACE)) {
560 if ((iflags & (ACE_FILE_INHERIT_ACE|
561 ACE_DIRECTORY_INHERIT_ACE)) == 0) {
570 zfs_acl_next_ace(zfs_acl_t *aclp, void *start, uint64_t *who,
571 uint32_t *access_mask, uint16_t *iflags, uint16_t *type)
573 zfs_acl_node_t *aclnode;
578 aclnode = list_head(&aclp->z_acl);
582 aclp->z_next_ace = aclnode->z_acldata;
583 aclp->z_curr_node = aclnode;
584 aclnode->z_ace_idx = 0;
587 aclnode = aclp->z_curr_node;
592 if (aclnode->z_ace_idx >= aclnode->z_ace_count) {
593 aclnode = list_next(&aclp->z_acl, aclnode);
597 aclp->z_curr_node = aclnode;
598 aclnode->z_ace_idx = 0;
599 aclp->z_next_ace = aclnode->z_acldata;
603 if (aclnode->z_ace_idx < aclnode->z_ace_count) {
604 void *acep = aclp->z_next_ace;
608 * Make sure we don't overstep our bounds
610 ace_size = aclp->z_ops.ace_size(acep);
612 if (((caddr_t)acep + ace_size) >
613 ((caddr_t)aclnode->z_acldata + aclnode->z_size)) {
617 *iflags = aclp->z_ops.ace_flags_get(acep);
618 *type = aclp->z_ops.ace_type_get(acep);
619 *access_mask = aclp->z_ops.ace_mask_get(acep);
620 *who = aclp->z_ops.ace_who_get(acep);
621 aclp->z_next_ace = (caddr_t)aclp->z_next_ace + ace_size;
622 aclnode->z_ace_idx++;
624 return ((void *)acep);
631 zfs_ace_walk(void *datap, uint64_t cookie, int aclcnt,
632 uint16_t *flags, uint16_t *type, uint32_t *mask)
634 zfs_acl_t *aclp = datap;
635 zfs_ace_hdr_t *acep = (zfs_ace_hdr_t *)(uintptr_t)cookie;
638 acep = zfs_acl_next_ace(aclp, acep, &who, mask,
640 return ((uint64_t)(uintptr_t)acep);
643 static zfs_acl_node_t *
644 zfs_acl_curr_node(zfs_acl_t *aclp)
646 ASSERT(aclp->z_curr_node);
647 return (aclp->z_curr_node);
651 * Copy ACE to internal ZFS format.
652 * While processing the ACL each ACE will be validated for correctness.
653 * ACE FUIDs will be created later.
656 zfs_copy_ace_2_fuid(zfsvfs_t *zfsvfs, vtype_t obj_type, zfs_acl_t *aclp,
657 void *datap, zfs_ace_t *z_acl, uint64_t aclcnt, size_t *size,
658 zfs_fuid_info_t **fuidp, cred_t *cr)
662 zfs_ace_t *aceptr = z_acl;
664 zfs_object_ace_t *zobjacep;
665 ace_object_t *aceobjp;
667 for (i = 0; i != aclcnt; i++) {
668 aceptr->z_hdr.z_access_mask = acep->a_access_mask;
669 aceptr->z_hdr.z_flags = acep->a_flags;
670 aceptr->z_hdr.z_type = acep->a_type;
671 entry_type = aceptr->z_hdr.z_flags & ACE_TYPE_FLAGS;
672 if (entry_type != ACE_OWNER && entry_type != OWNING_GROUP &&
673 entry_type != ACE_EVERYONE) {
674 aceptr->z_fuid = zfs_fuid_create(zfsvfs, acep->a_who,
675 cr, (entry_type == 0) ?
676 ZFS_ACE_USER : ZFS_ACE_GROUP, fuidp);
680 * Make sure ACE is valid
682 if (zfs_ace_valid(obj_type, aclp, aceptr->z_hdr.z_type,
683 aceptr->z_hdr.z_flags) != B_TRUE)
686 switch (acep->a_type) {
687 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE:
688 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE:
689 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE:
690 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE:
691 zobjacep = (zfs_object_ace_t *)aceptr;
692 aceobjp = (ace_object_t *)acep;
694 bcopy(aceobjp->a_obj_type, zobjacep->z_object_type,
695 sizeof (aceobjp->a_obj_type));
696 bcopy(aceobjp->a_inherit_obj_type,
697 zobjacep->z_inherit_type,
698 sizeof (aceobjp->a_inherit_obj_type));
699 acep = (ace_t *)((caddr_t)acep + sizeof (ace_object_t));
702 acep = (ace_t *)((caddr_t)acep + sizeof (ace_t));
705 aceptr = (zfs_ace_t *)((caddr_t)aceptr +
706 aclp->z_ops.ace_size(aceptr));
709 *size = (caddr_t)aceptr - (caddr_t)z_acl;
715 * Copy ZFS ACEs to fixed size ace_t layout
718 zfs_copy_fuid_2_ace(zfsvfs_t *zfsvfs, zfs_acl_t *aclp, cred_t *cr,
719 void *datap, int filter)
722 uint32_t access_mask;
723 uint16_t iflags, type;
724 zfs_ace_hdr_t *zacep = NULL;
726 ace_object_t *objacep;
727 zfs_object_ace_t *zobjacep;
731 while (zacep = zfs_acl_next_ace(aclp, zacep,
732 &who, &access_mask, &iflags, &type)) {
735 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE:
736 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE:
737 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE:
738 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE:
742 zobjacep = (zfs_object_ace_t *)zacep;
743 objacep = (ace_object_t *)acep;
744 bcopy(zobjacep->z_object_type,
746 sizeof (zobjacep->z_object_type));
747 bcopy(zobjacep->z_inherit_type,
748 objacep->a_inherit_obj_type,
749 sizeof (zobjacep->z_inherit_type));
750 ace_size = sizeof (ace_object_t);
753 ace_size = sizeof (ace_t);
757 entry_type = (iflags & ACE_TYPE_FLAGS);
758 if ((entry_type != ACE_OWNER &&
759 entry_type != OWNING_GROUP &&
760 entry_type != ACE_EVERYONE)) {
761 acep->a_who = zfs_fuid_map_id(zfsvfs, who,
762 cr, (entry_type & ACE_IDENTIFIER_GROUP) ?
763 ZFS_ACE_GROUP : ZFS_ACE_USER);
765 acep->a_who = (uid_t)(int64_t)who;
767 acep->a_access_mask = access_mask;
768 acep->a_flags = iflags;
770 acep = (ace_t *)((caddr_t)acep + ace_size);
775 zfs_copy_ace_2_oldace(vtype_t obj_type, zfs_acl_t *aclp, ace_t *acep,
776 zfs_oldace_t *z_acl, int aclcnt, size_t *size)
779 zfs_oldace_t *aceptr = z_acl;
781 for (i = 0; i != aclcnt; i++, aceptr++) {
782 aceptr->z_access_mask = acep[i].a_access_mask;
783 aceptr->z_type = acep[i].a_type;
784 aceptr->z_flags = acep[i].a_flags;
785 aceptr->z_fuid = acep[i].a_who;
787 * Make sure ACE is valid
789 if (zfs_ace_valid(obj_type, aclp, aceptr->z_type,
790 aceptr->z_flags) != B_TRUE)
793 *size = (caddr_t)aceptr - (caddr_t)z_acl;
798 * convert old ACL format to new
801 zfs_acl_xform(znode_t *zp, zfs_acl_t *aclp, cred_t *cr)
803 zfs_oldace_t *oldaclp;
805 uint16_t type, iflags;
806 uint32_t access_mask;
809 zfs_acl_node_t *newaclnode;
811 ASSERT(aclp->z_version == ZFS_ACL_VERSION_INITIAL);
813 * First create the ACE in a contiguous piece of memory
814 * for zfs_copy_ace_2_fuid().
816 * We only convert an ACL once, so this won't happen
819 oldaclp = kmem_alloc(sizeof (zfs_oldace_t) * aclp->z_acl_count,
822 while (cookie = zfs_acl_next_ace(aclp, cookie, &who,
823 &access_mask, &iflags, &type)) {
824 oldaclp[i].z_flags = iflags;
825 oldaclp[i].z_type = type;
826 oldaclp[i].z_fuid = who;
827 oldaclp[i++].z_access_mask = access_mask;
830 newaclnode = zfs_acl_node_alloc(aclp->z_acl_count *
831 sizeof (zfs_object_ace_t));
832 aclp->z_ops = zfs_acl_fuid_ops;
833 VERIFY(zfs_copy_ace_2_fuid(zp->z_zfsvfs, ZTOV(zp)->v_type, aclp,
834 oldaclp, newaclnode->z_acldata, aclp->z_acl_count,
835 &newaclnode->z_size, NULL, cr) == 0);
836 newaclnode->z_ace_count = aclp->z_acl_count;
837 aclp->z_version = ZFS_ACL_VERSION;
838 kmem_free(oldaclp, aclp->z_acl_count * sizeof (zfs_oldace_t));
841 * Release all previous ACL nodes
844 zfs_acl_release_nodes(aclp);
846 list_insert_head(&aclp->z_acl, newaclnode);
848 aclp->z_acl_bytes = newaclnode->z_size;
849 aclp->z_acl_count = newaclnode->z_ace_count;
854 * Convert unix access mask to v4 access mask
857 zfs_unix_to_v4(uint32_t access_mask)
859 uint32_t new_mask = 0;
861 if (access_mask & S_IXOTH)
862 new_mask |= ACE_EXECUTE;
863 if (access_mask & S_IWOTH)
864 new_mask |= ACE_WRITE_DATA;
865 if (access_mask & S_IROTH)
866 new_mask |= ACE_READ_DATA;
871 zfs_set_ace(zfs_acl_t *aclp, void *acep, uint32_t access_mask,
872 uint16_t access_type, uint64_t fuid, uint16_t entry_type)
874 uint16_t type = entry_type & ACE_TYPE_FLAGS;
876 aclp->z_ops.ace_mask_set(acep, access_mask);
877 aclp->z_ops.ace_type_set(acep, access_type);
878 aclp->z_ops.ace_flags_set(acep, entry_type);
879 if ((type != ACE_OWNER && type != OWNING_GROUP &&
880 type != ACE_EVERYONE))
881 aclp->z_ops.ace_who_set(acep, fuid);
885 * Determine mode of file based on ACL.
886 * Also, create FUIDs for any User/Group ACEs
889 zfs_mode_compute(uint64_t fmode, zfs_acl_t *aclp,
890 uint64_t *pflags, uint64_t fuid, uint64_t fgid)
895 zfs_ace_hdr_t *acep = NULL;
897 uint16_t iflags, type;
898 uint32_t access_mask;
899 boolean_t an_exec_denied = B_FALSE;
901 mode = (fmode & (S_IFMT | S_ISUID | S_ISGID | S_ISVTX));
903 while (acep = zfs_acl_next_ace(aclp, acep, &who,
904 &access_mask, &iflags, &type)) {
906 if (!zfs_acl_valid_ace_type(type, iflags))
909 entry_type = (iflags & ACE_TYPE_FLAGS);
912 * Skip over owner@, group@ or everyone@ inherit only ACEs
914 if ((iflags & ACE_INHERIT_ONLY_ACE) &&
915 (entry_type == ACE_OWNER || entry_type == ACE_EVERYONE ||
916 entry_type == OWNING_GROUP))
919 if (entry_type == ACE_OWNER || (entry_type == 0 &&
921 if ((access_mask & ACE_READ_DATA) &&
922 (!(seen & S_IRUSR))) {
928 if ((access_mask & ACE_WRITE_DATA) &&
929 (!(seen & S_IWUSR))) {
935 if ((access_mask & ACE_EXECUTE) &&
936 (!(seen & S_IXUSR))) {
942 } else if (entry_type == OWNING_GROUP ||
943 (entry_type == ACE_IDENTIFIER_GROUP && who == fgid)) {
944 if ((access_mask & ACE_READ_DATA) &&
945 (!(seen & S_IRGRP))) {
951 if ((access_mask & ACE_WRITE_DATA) &&
952 (!(seen & S_IWGRP))) {
958 if ((access_mask & ACE_EXECUTE) &&
959 (!(seen & S_IXGRP))) {
965 } else if (entry_type == ACE_EVERYONE) {
966 if ((access_mask & ACE_READ_DATA)) {
967 if (!(seen & S_IRUSR)) {
973 if (!(seen & S_IRGRP)) {
979 if (!(seen & S_IROTH)) {
986 if ((access_mask & ACE_WRITE_DATA)) {
987 if (!(seen & S_IWUSR)) {
993 if (!(seen & S_IWGRP)) {
999 if (!(seen & S_IWOTH)) {
1001 if (type == ALLOW) {
1006 if ((access_mask & ACE_EXECUTE)) {
1007 if (!(seen & S_IXUSR)) {
1009 if (type == ALLOW) {
1013 if (!(seen & S_IXGRP)) {
1015 if (type == ALLOW) {
1019 if (!(seen & S_IXOTH)) {
1021 if (type == ALLOW) {
1028 * Only care if this IDENTIFIER_GROUP or
1029 * USER ACE denies execute access to someone,
1030 * mode is not affected
1032 if ((access_mask & ACE_EXECUTE) && type == DENY)
1033 an_exec_denied = B_TRUE;
1038 * Failure to allow is effectively a deny, so execute permission
1039 * is denied if it was never mentioned or if we explicitly
1040 * weren't allowed it.
1042 if (!an_exec_denied &&
1043 ((seen & ALL_MODE_EXECS) != ALL_MODE_EXECS ||
1044 (mode & ALL_MODE_EXECS) != ALL_MODE_EXECS))
1045 an_exec_denied = B_TRUE;
1048 *pflags &= ~ZFS_NO_EXECS_DENIED;
1050 *pflags |= ZFS_NO_EXECS_DENIED;
1056 * Read an external acl object. If the intent is to modify, always
1057 * create a new acl and leave any cached acl in place.
1060 zfs_acl_node_read(znode_t *zp, boolean_t have_lock, zfs_acl_t **aclpp,
1061 boolean_t will_modify)
1066 zfs_acl_node_t *aclnode;
1067 zfs_acl_phys_t znode_acl;
1070 boolean_t drop_lock = B_FALSE;
1072 ASSERT(MUTEX_HELD(&zp->z_acl_lock));
1074 if (zp->z_acl_cached && !will_modify) {
1075 *aclpp = zp->z_acl_cached;
1080 * close race where znode could be upgrade while trying to
1081 * read the znode attributes.
1083 * But this could only happen if the file isn't already an SA
1086 if (!zp->z_is_sa && !have_lock) {
1087 mutex_enter(&zp->z_lock);
1090 version = zfs_znode_acl_version(zp);
1092 if ((error = zfs_acl_znode_info(zp, &aclsize,
1093 &acl_count, &znode_acl)) != 0) {
1097 aclp = zfs_acl_alloc(version);
1099 aclp->z_acl_count = acl_count;
1100 aclp->z_acl_bytes = aclsize;
1102 aclnode = zfs_acl_node_alloc(aclsize);
1103 aclnode->z_ace_count = aclp->z_acl_count;
1104 aclnode->z_size = aclsize;
1107 if (znode_acl.z_acl_extern_obj) {
1108 error = dmu_read(zp->z_zfsvfs->z_os,
1109 znode_acl.z_acl_extern_obj, 0, aclnode->z_size,
1110 aclnode->z_acldata, DMU_READ_PREFETCH);
1112 bcopy(znode_acl.z_ace_data, aclnode->z_acldata,
1116 error = sa_lookup(zp->z_sa_hdl, SA_ZPL_DACL_ACES(zp->z_zfsvfs),
1117 aclnode->z_acldata, aclnode->z_size);
1122 zfs_acl_node_free(aclnode);
1123 /* convert checksum errors into IO errors */
1124 if (error == ECKSUM)
1129 list_insert_head(&aclp->z_acl, aclnode);
1133 zp->z_acl_cached = aclp;
1136 mutex_exit(&zp->z_lock);
1142 zfs_acl_data_locator(void **dataptr, uint32_t *length, uint32_t buflen,
1143 boolean_t start, void *userdata)
1145 zfs_acl_locator_cb_t *cb = (zfs_acl_locator_cb_t *)userdata;
1148 cb->cb_acl_node = list_head(&cb->cb_aclp->z_acl);
1150 cb->cb_acl_node = list_next(&cb->cb_aclp->z_acl,
1153 *dataptr = cb->cb_acl_node->z_acldata;
1154 *length = cb->cb_acl_node->z_size;
1158 zfs_acl_chown_setattr(znode_t *zp)
1163 ASSERT(MUTEX_HELD(&zp->z_lock));
1164 ASSERT(MUTEX_HELD(&zp->z_acl_lock));
1166 if ((error = zfs_acl_node_read(zp, B_TRUE, &aclp, B_FALSE)) == 0)
1167 zp->z_mode = zfs_mode_compute(zp->z_mode, aclp,
1168 &zp->z_pflags, zp->z_uid, zp->z_gid);
1173 * common code for setting ACLs.
1175 * This function is called from zfs_mode_update, zfs_perm_init, and zfs_setacl.
1176 * zfs_setacl passes a non-NULL inherit pointer (ihp) to indicate that it's
1177 * already checked the acl and knows whether to inherit.
1180 zfs_aclset_common(znode_t *zp, zfs_acl_t *aclp, cred_t *cr, dmu_tx_t *tx)
1183 zfsvfs_t *zfsvfs = zp->z_zfsvfs;
1184 dmu_object_type_t otype;
1185 zfs_acl_locator_cb_t locate = { 0 };
1187 sa_bulk_attr_t bulk[5];
1193 mode = zfs_mode_compute(mode, aclp, &zp->z_pflags,
1194 zp->z_uid, zp->z_gid);
1197 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_MODE(zfsvfs), NULL,
1198 &mode, sizeof (mode));
1199 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_FLAGS(zfsvfs), NULL,
1200 &zp->z_pflags, sizeof (zp->z_pflags));
1201 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_CTIME(zfsvfs), NULL,
1202 &ctime, sizeof (ctime));
1204 if (zp->z_acl_cached) {
1205 zfs_acl_free(zp->z_acl_cached);
1206 zp->z_acl_cached = NULL;
1212 if (!zfsvfs->z_use_fuids) {
1213 otype = DMU_OT_OLDACL;
1215 if ((aclp->z_version == ZFS_ACL_VERSION_INITIAL) &&
1216 (zfsvfs->z_version >= ZPL_VERSION_FUID))
1217 zfs_acl_xform(zp, aclp, cr);
1218 ASSERT(aclp->z_version >= ZFS_ACL_VERSION_FUID);
1223 * Arrgh, we have to handle old on disk format
1224 * as well as newer (preferred) SA format.
1227 if (zp->z_is_sa) { /* the easy case, just update the ACL attribute */
1228 locate.cb_aclp = aclp;
1229 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_DACL_ACES(zfsvfs),
1230 zfs_acl_data_locator, &locate, aclp->z_acl_bytes);
1231 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_DACL_COUNT(zfsvfs),
1232 NULL, &aclp->z_acl_count, sizeof (uint64_t));
1233 } else { /* Painful legacy way */
1234 zfs_acl_node_t *aclnode;
1236 zfs_acl_phys_t acl_phys;
1239 if ((error = sa_lookup(zp->z_sa_hdl, SA_ZPL_ZNODE_ACL(zfsvfs),
1240 &acl_phys, sizeof (acl_phys))) != 0)
1243 aoid = acl_phys.z_acl_extern_obj;
1245 if (aclp->z_acl_bytes > ZFS_ACE_SPACE) {
1247 * If ACL was previously external and we are now
1248 * converting to new ACL format then release old
1249 * ACL object and create a new one.
1252 aclp->z_version != acl_phys.z_acl_version) {
1253 error = dmu_object_free(zfsvfs->z_os, aoid, tx);
1259 aoid = dmu_object_alloc(zfsvfs->z_os,
1260 otype, aclp->z_acl_bytes,
1261 otype == DMU_OT_ACL ?
1262 DMU_OT_SYSACL : DMU_OT_NONE,
1263 otype == DMU_OT_ACL ?
1264 DN_MAX_BONUSLEN : 0, tx);
1266 (void) dmu_object_set_blocksize(zfsvfs->z_os,
1267 aoid, aclp->z_acl_bytes, 0, tx);
1269 acl_phys.z_acl_extern_obj = aoid;
1270 for (aclnode = list_head(&aclp->z_acl); aclnode;
1271 aclnode = list_next(&aclp->z_acl, aclnode)) {
1272 if (aclnode->z_ace_count == 0)
1274 dmu_write(zfsvfs->z_os, aoid, off,
1275 aclnode->z_size, aclnode->z_acldata, tx);
1276 off += aclnode->z_size;
1279 void *start = acl_phys.z_ace_data;
1281 * Migrating back embedded?
1283 if (acl_phys.z_acl_extern_obj) {
1284 error = dmu_object_free(zfsvfs->z_os,
1285 acl_phys.z_acl_extern_obj, tx);
1288 acl_phys.z_acl_extern_obj = 0;
1291 for (aclnode = list_head(&aclp->z_acl); aclnode;
1292 aclnode = list_next(&aclp->z_acl, aclnode)) {
1293 if (aclnode->z_ace_count == 0)
1295 bcopy(aclnode->z_acldata, start,
1297 start = (caddr_t)start + aclnode->z_size;
1301 * If Old version then swap count/bytes to match old
1302 * layout of znode_acl_phys_t.
1304 if (aclp->z_version == ZFS_ACL_VERSION_INITIAL) {
1305 acl_phys.z_acl_size = aclp->z_acl_count;
1306 acl_phys.z_acl_count = aclp->z_acl_bytes;
1308 acl_phys.z_acl_size = aclp->z_acl_bytes;
1309 acl_phys.z_acl_count = aclp->z_acl_count;
1311 acl_phys.z_acl_version = aclp->z_version;
1313 SA_ADD_BULK_ATTR(bulk, count, SA_ZPL_ZNODE_ACL(zfsvfs), NULL,
1314 &acl_phys, sizeof (acl_phys));
1318 * Replace ACL wide bits, but first clear them.
1320 zp->z_pflags &= ~ZFS_ACL_WIDE_FLAGS;
1322 zp->z_pflags |= aclp->z_hints;
1324 if (ace_trivial_common(aclp, 0, zfs_ace_walk) == 0)
1325 zp->z_pflags |= ZFS_ACL_TRIVIAL;
1327 zfs_tstamp_update_setup(zp, STATE_CHANGED, NULL, ctime, B_TRUE);
1328 return (sa_bulk_update(zp->z_sa_hdl, bulk, count, tx));
1332 zfs_acl_chmod(vtype_t vtype, uint64_t mode, boolean_t trim, zfs_acl_t *aclp)
1336 int new_count, new_bytes;
1339 uint16_t iflags, type;
1340 uint32_t access_mask;
1341 zfs_acl_node_t *newnode;
1342 size_t abstract_size = aclp->z_ops.ace_abstract_size();
1345 trivial_acl_t masks;
1347 new_count = new_bytes = 0;
1349 isdir = (vtype == VDIR);
1351 acl_trivial_access_masks((mode_t)mode, isdir, &masks);
1353 newnode = zfs_acl_node_alloc((abstract_size * 6) + aclp->z_acl_bytes);
1355 zacep = newnode->z_acldata;
1357 zfs_set_ace(aclp, zacep, masks.allow0, ALLOW, -1, ACE_OWNER);
1358 zacep = (void *)((uintptr_t)zacep + abstract_size);
1360 new_bytes += abstract_size;
1361 } if (masks.deny1) {
1362 zfs_set_ace(aclp, zacep, masks.deny1, DENY, -1, ACE_OWNER);
1363 zacep = (void *)((uintptr_t)zacep + abstract_size);
1365 new_bytes += abstract_size;
1368 zfs_set_ace(aclp, zacep, masks.deny2, DENY, -1, OWNING_GROUP);
1369 zacep = (void *)((uintptr_t)zacep + abstract_size);
1371 new_bytes += abstract_size;
1374 while (acep = zfs_acl_next_ace(aclp, acep, &who, &access_mask,
1376 uint16_t inherit_flags;
1378 entry_type = (iflags & ACE_TYPE_FLAGS);
1379 inherit_flags = (iflags & ALL_INHERIT);
1381 if ((entry_type == ACE_OWNER || entry_type == ACE_EVERYONE ||
1382 (entry_type == OWNING_GROUP)) &&
1383 ((inherit_flags & ACE_INHERIT_ONLY_ACE) == 0)) {
1388 * If this ACL has any inheritable ACEs, mark that in
1389 * the hints (which are later masked into the pflags)
1390 * so create knows to do inheritance.
1392 if (isdir && (inherit_flags &
1393 (ACE_FILE_INHERIT_ACE|ACE_DIRECTORY_INHERIT_ACE)))
1394 aclp->z_hints |= ZFS_INHERIT_ACE;
1396 if ((type != ALLOW && type != DENY) ||
1397 (inherit_flags & ACE_INHERIT_ONLY_ACE)) {
1399 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE:
1400 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE:
1401 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE:
1402 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE:
1403 aclp->z_hints |= ZFS_ACL_OBJ_ACE;
1409 * Limit permissions to be no greater than
1410 * group permissions.
1411 * The "aclinherit" and "aclmode" properties
1412 * affect policy for create and chmod(2),
1415 if ((type == ALLOW) && trim)
1416 access_mask &= masks.group;
1418 zfs_set_ace(aclp, zacep, access_mask, type, who, iflags);
1419 ace_size = aclp->z_ops.ace_size(acep);
1420 zacep = (void *)((uintptr_t)zacep + ace_size);
1422 new_bytes += ace_size;
1424 zfs_set_ace(aclp, zacep, masks.owner, 0, -1, ACE_OWNER);
1425 zacep = (void *)((uintptr_t)zacep + abstract_size);
1426 zfs_set_ace(aclp, zacep, masks.group, 0, -1, OWNING_GROUP);
1427 zacep = (void *)((uintptr_t)zacep + abstract_size);
1428 zfs_set_ace(aclp, zacep, masks.everyone, 0, -1, ACE_EVERYONE);
1431 new_bytes += abstract_size * 3;
1432 zfs_acl_release_nodes(aclp);
1433 aclp->z_acl_count = new_count;
1434 aclp->z_acl_bytes = new_bytes;
1435 newnode->z_ace_count = new_count;
1436 newnode->z_size = new_bytes;
1437 list_insert_tail(&aclp->z_acl, newnode);
1441 zfs_acl_chmod_setattr(znode_t *zp, zfs_acl_t **aclp, uint64_t mode)
1445 mutex_enter(&zp->z_acl_lock);
1446 mutex_enter(&zp->z_lock);
1447 if (zp->z_zfsvfs->z_acl_mode == ZFS_ACL_DISCARD)
1448 *aclp = zfs_acl_alloc(zfs_acl_version_zp(zp));
1450 error = zfs_acl_node_read(zp, B_TRUE, aclp, B_TRUE);
1453 (*aclp)->z_hints = zp->z_pflags & V4_ACL_WIDE_FLAGS;
1454 zfs_acl_chmod(ZTOV(zp)->v_type, mode,
1455 (zp->z_zfsvfs->z_acl_mode == ZFS_ACL_GROUPMASK), *aclp);
1457 mutex_exit(&zp->z_lock);
1458 mutex_exit(&zp->z_acl_lock);
1464 * strip off write_owner and write_acl
1467 zfs_restricted_update(zfsvfs_t *zfsvfs, zfs_acl_t *aclp, void *acep)
1469 uint32_t mask = aclp->z_ops.ace_mask_get(acep);
1471 if ((zfsvfs->z_acl_inherit == ZFS_ACL_RESTRICTED) &&
1472 (aclp->z_ops.ace_type_get(acep) == ALLOW)) {
1473 mask &= ~RESTRICTED_CLEAR;
1474 aclp->z_ops.ace_mask_set(acep, mask);
1479 * Should ACE be inherited?
1482 zfs_ace_can_use(vtype_t vtype, uint16_t acep_flags)
1484 int iflags = (acep_flags & 0xf);
1486 if ((vtype == VDIR) && (iflags & ACE_DIRECTORY_INHERIT_ACE))
1488 else if (iflags & ACE_FILE_INHERIT_ACE)
1489 return (!((vtype == VDIR) &&
1490 (iflags & ACE_NO_PROPAGATE_INHERIT_ACE)));
1495 * inherit inheritable ACEs from parent
1498 zfs_acl_inherit(zfsvfs_t *zfsvfs, vtype_t vtype, zfs_acl_t *paclp,
1499 uint64_t mode, boolean_t *need_chmod)
1503 zfs_acl_node_t *aclnode;
1504 zfs_acl_t *aclp = NULL;
1506 uint32_t access_mask;
1507 uint16_t iflags, newflags, type;
1509 void *data1, *data2;
1510 size_t data1sz, data2sz;
1511 boolean_t vdir = vtype == VDIR;
1512 boolean_t vreg = vtype == VREG;
1513 boolean_t passthrough, passthrough_x, noallow;
1516 zfsvfs->z_acl_inherit == ZFS_ACL_PASSTHROUGH_X;
1517 passthrough = passthrough_x ||
1518 zfsvfs->z_acl_inherit == ZFS_ACL_PASSTHROUGH;
1520 zfsvfs->z_acl_inherit == ZFS_ACL_NOALLOW;
1522 *need_chmod = B_TRUE;
1524 aclp = zfs_acl_alloc(paclp->z_version);
1525 if (zfsvfs->z_acl_inherit == ZFS_ACL_DISCARD || vtype == VLNK)
1527 while (pacep = zfs_acl_next_ace(paclp, pacep, &who,
1528 &access_mask, &iflags, &type)) {
1531 * don't inherit bogus ACEs
1533 if (!zfs_acl_valid_ace_type(type, iflags))
1536 if (noallow && type == ALLOW)
1539 ace_size = aclp->z_ops.ace_size(pacep);
1541 if (!zfs_ace_can_use(vtype, iflags))
1545 * If owner@, group@, or everyone@ inheritable
1546 * then zfs_acl_chmod() isn't needed.
1549 ((iflags & (ACE_OWNER|ACE_EVERYONE)) ||
1550 ((iflags & OWNING_GROUP) ==
1551 OWNING_GROUP)) && (vreg || (vdir && (iflags &
1552 ACE_DIRECTORY_INHERIT_ACE)))) {
1553 *need_chmod = B_FALSE;
1556 if (!vdir && passthrough_x &&
1557 ((mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0)) {
1558 access_mask &= ~ACE_EXECUTE;
1561 aclnode = zfs_acl_node_alloc(ace_size);
1562 list_insert_tail(&aclp->z_acl, aclnode);
1563 acep = aclnode->z_acldata;
1565 zfs_set_ace(aclp, acep, access_mask, type,
1566 who, iflags|ACE_INHERITED_ACE);
1569 * Copy special opaque data if any
1571 if ((data1sz = paclp->z_ops.ace_data(pacep, &data1)) != 0) {
1572 VERIFY((data2sz = aclp->z_ops.ace_data(acep,
1573 &data2)) == data1sz);
1574 bcopy(data1, data2, data2sz);
1577 aclp->z_acl_count++;
1578 aclnode->z_ace_count++;
1579 aclp->z_acl_bytes += aclnode->z_size;
1580 newflags = aclp->z_ops.ace_flags_get(acep);
1583 aclp->z_hints |= ZFS_INHERIT_ACE;
1585 if ((iflags & ACE_NO_PROPAGATE_INHERIT_ACE) || !vdir) {
1586 newflags &= ~ALL_INHERIT;
1587 aclp->z_ops.ace_flags_set(acep,
1588 newflags|ACE_INHERITED_ACE);
1589 zfs_restricted_update(zfsvfs, aclp, acep);
1596 * If only FILE_INHERIT is set then turn on
1599 if ((iflags & (ACE_FILE_INHERIT_ACE |
1600 ACE_DIRECTORY_INHERIT_ACE)) == ACE_FILE_INHERIT_ACE) {
1601 newflags |= ACE_INHERIT_ONLY_ACE;
1602 aclp->z_ops.ace_flags_set(acep,
1603 newflags|ACE_INHERITED_ACE);
1605 newflags &= ~ACE_INHERIT_ONLY_ACE;
1606 aclp->z_ops.ace_flags_set(acep,
1607 newflags|ACE_INHERITED_ACE);
1614 * Create file system object initial permissions
1615 * including inheritable ACEs.
1618 zfs_acl_ids_create(znode_t *dzp, int flag, vattr_t *vap, cred_t *cr,
1619 vsecattr_t *vsecp, zfs_acl_ids_t *acl_ids)
1622 zfsvfs_t *zfsvfs = dzp->z_zfsvfs;
1625 boolean_t need_chmod = B_TRUE;
1626 boolean_t inherited = B_FALSE;
1628 bzero(acl_ids, sizeof (zfs_acl_ids_t));
1629 acl_ids->z_mode = MAKEIMODE(vap->va_type, vap->va_mode);
1632 if ((error = zfs_vsec_2_aclp(zfsvfs, vap->va_type, vsecp, cr,
1633 &acl_ids->z_fuidp, &acl_ids->z_aclp)) != 0)
1636 * Determine uid and gid.
1638 if ((flag & IS_ROOT_NODE) || zfsvfs->z_replay ||
1639 ((flag & IS_XATTR) && (vap->va_type == VDIR))) {
1640 acl_ids->z_fuid = zfs_fuid_create(zfsvfs,
1641 (uint64_t)vap->va_uid, cr,
1642 ZFS_OWNER, &acl_ids->z_fuidp);
1643 acl_ids->z_fgid = zfs_fuid_create(zfsvfs,
1644 (uint64_t)vap->va_gid, cr,
1645 ZFS_GROUP, &acl_ids->z_fuidp);
1648 acl_ids->z_fuid = zfs_fuid_create_cred(zfsvfs, ZFS_OWNER,
1649 cr, &acl_ids->z_fuidp);
1650 acl_ids->z_fgid = 0;
1651 if (vap->va_mask & AT_GID) {
1652 acl_ids->z_fgid = zfs_fuid_create(zfsvfs,
1653 (uint64_t)vap->va_gid,
1654 cr, ZFS_GROUP, &acl_ids->z_fuidp);
1656 if (acl_ids->z_fgid != dzp->z_gid &&
1657 !groupmember(vap->va_gid, cr) &&
1658 secpolicy_vnode_create_gid(cr) != 0)
1659 acl_ids->z_fgid = 0;
1661 if (acl_ids->z_fgid == 0) {
1662 if (dzp->z_mode & S_ISGID) {
1666 acl_ids->z_fgid = dzp->z_gid;
1667 gid = zfs_fuid_map_id(zfsvfs, acl_ids->z_fgid,
1670 if (zfsvfs->z_use_fuids &&
1671 IS_EPHEMERAL(acl_ids->z_fgid)) {
1672 domain = zfs_fuid_idx_domain(
1673 &zfsvfs->z_fuid_idx,
1674 FUID_INDEX(acl_ids->z_fgid));
1675 rid = FUID_RID(acl_ids->z_fgid);
1676 zfs_fuid_node_add(&acl_ids->z_fuidp,
1678 FUID_INDEX(acl_ids->z_fgid),
1679 acl_ids->z_fgid, ZFS_GROUP);
1682 acl_ids->z_fgid = zfs_fuid_create_cred(zfsvfs,
1683 ZFS_GROUP, cr, &acl_ids->z_fuidp);
1685 gid = acl_ids->z_fgid = dzp->z_gid;
1694 * If we're creating a directory, and the parent directory has the
1695 * set-GID bit set, set in on the new directory.
1696 * Otherwise, if the user is neither privileged nor a member of the
1697 * file's new group, clear the file's set-GID bit.
1700 if (!(flag & IS_ROOT_NODE) && (dzp->z_mode & S_ISGID) &&
1701 (vap->va_type == VDIR)) {
1702 acl_ids->z_mode |= S_ISGID;
1704 if ((acl_ids->z_mode & S_ISGID) &&
1705 secpolicy_vnode_setids_setgids(ZTOV(dzp), cr, gid) != 0)
1706 acl_ids->z_mode &= ~S_ISGID;
1709 if (acl_ids->z_aclp == NULL) {
1710 mutex_enter(&dzp->z_acl_lock);
1711 mutex_enter(&dzp->z_lock);
1712 if (!(flag & IS_ROOT_NODE) &&
1713 (dzp->z_pflags & ZFS_INHERIT_ACE) &&
1714 !(dzp->z_pflags & ZFS_XATTR)) {
1715 VERIFY(0 == zfs_acl_node_read(dzp, B_TRUE,
1717 acl_ids->z_aclp = zfs_acl_inherit(zfsvfs,
1718 vap->va_type, paclp, acl_ids->z_mode, &need_chmod);
1722 zfs_acl_alloc(zfs_acl_version_zp(dzp));
1723 acl_ids->z_aclp->z_hints |= ZFS_ACL_TRIVIAL;
1725 mutex_exit(&dzp->z_lock);
1726 mutex_exit(&dzp->z_acl_lock);
1728 acl_ids->z_aclp->z_hints |= (vap->va_type == VDIR) ?
1729 ZFS_ACL_AUTO_INHERIT : 0;
1730 zfs_acl_chmod(vap->va_type, acl_ids->z_mode,
1731 (zfsvfs->z_acl_inherit == ZFS_ACL_RESTRICTED),
1736 if (inherited || vsecp) {
1737 acl_ids->z_mode = zfs_mode_compute(acl_ids->z_mode,
1738 acl_ids->z_aclp, &acl_ids->z_aclp->z_hints,
1739 acl_ids->z_fuid, acl_ids->z_fgid);
1740 if (ace_trivial_common(acl_ids->z_aclp, 0, zfs_ace_walk) == 0)
1741 acl_ids->z_aclp->z_hints |= ZFS_ACL_TRIVIAL;
1748 * Free ACL and fuid_infop, but not the acl_ids structure
1751 zfs_acl_ids_free(zfs_acl_ids_t *acl_ids)
1753 if (acl_ids->z_aclp)
1754 zfs_acl_free(acl_ids->z_aclp);
1755 if (acl_ids->z_fuidp)
1756 zfs_fuid_info_free(acl_ids->z_fuidp);
1757 acl_ids->z_aclp = NULL;
1758 acl_ids->z_fuidp = NULL;
1762 zfs_acl_ids_overquota(zfsvfs_t *zfsvfs, zfs_acl_ids_t *acl_ids)
1764 return (zfs_fuid_overquota(zfsvfs, B_FALSE, acl_ids->z_fuid) ||
1765 zfs_fuid_overquota(zfsvfs, B_TRUE, acl_ids->z_fgid));
1769 * Retrieve a files ACL
1772 zfs_getacl(znode_t *zp, vsecattr_t *vsecp, boolean_t skipaclchk, cred_t *cr)
1780 mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT |
1781 VSA_ACE_ACLFLAGS | VSA_ACE_ALLTYPES);
1786 if (error = zfs_zaccess(zp, ACE_READ_ACL, 0, skipaclchk, cr))
1789 mutex_enter(&zp->z_acl_lock);
1791 error = zfs_acl_node_read(zp, B_FALSE, &aclp, B_FALSE);
1793 mutex_exit(&zp->z_acl_lock);
1798 * Scan ACL to determine number of ACEs
1800 if ((zp->z_pflags & ZFS_ACL_OBJ_ACE) && !(mask & VSA_ACE_ALLTYPES)) {
1803 uint32_t access_mask;
1804 uint16_t type, iflags;
1806 while (zacep = zfs_acl_next_ace(aclp, zacep,
1807 &who, &access_mask, &iflags, &type)) {
1809 case ACE_ACCESS_ALLOWED_OBJECT_ACE_TYPE:
1810 case ACE_ACCESS_DENIED_OBJECT_ACE_TYPE:
1811 case ACE_SYSTEM_AUDIT_OBJECT_ACE_TYPE:
1812 case ACE_SYSTEM_ALARM_OBJECT_ACE_TYPE:
1819 vsecp->vsa_aclcnt = count;
1821 count = (int)aclp->z_acl_count;
1823 if (mask & VSA_ACECNT) {
1824 vsecp->vsa_aclcnt = count;
1827 if (mask & VSA_ACE) {
1830 aclsz = count * sizeof (ace_t) +
1831 sizeof (ace_object_t) * largeace;
1833 vsecp->vsa_aclentp = kmem_alloc(aclsz, KM_SLEEP);
1834 vsecp->vsa_aclentsz = aclsz;
1836 if (aclp->z_version == ZFS_ACL_VERSION_FUID)
1837 zfs_copy_fuid_2_ace(zp->z_zfsvfs, aclp, cr,
1838 vsecp->vsa_aclentp, !(mask & VSA_ACE_ALLTYPES));
1840 zfs_acl_node_t *aclnode;
1841 void *start = vsecp->vsa_aclentp;
1843 for (aclnode = list_head(&aclp->z_acl); aclnode;
1844 aclnode = list_next(&aclp->z_acl, aclnode)) {
1845 bcopy(aclnode->z_acldata, start,
1847 start = (caddr_t)start + aclnode->z_size;
1849 ASSERT((caddr_t)start - (caddr_t)vsecp->vsa_aclentp ==
1853 if (mask & VSA_ACE_ACLFLAGS) {
1854 vsecp->vsa_aclflags = 0;
1855 if (zp->z_pflags & ZFS_ACL_DEFAULTED)
1856 vsecp->vsa_aclflags |= ACL_DEFAULTED;
1857 if (zp->z_pflags & ZFS_ACL_PROTECTED)
1858 vsecp->vsa_aclflags |= ACL_PROTECTED;
1859 if (zp->z_pflags & ZFS_ACL_AUTO_INHERIT)
1860 vsecp->vsa_aclflags |= ACL_AUTO_INHERIT;
1863 mutex_exit(&zp->z_acl_lock);
1869 zfs_vsec_2_aclp(zfsvfs_t *zfsvfs, vtype_t obj_type,
1870 vsecattr_t *vsecp, cred_t *cr, zfs_fuid_info_t **fuidp, zfs_acl_t **zaclp)
1873 zfs_acl_node_t *aclnode;
1874 int aclcnt = vsecp->vsa_aclcnt;
1877 if (vsecp->vsa_aclcnt > MAX_ACL_ENTRIES || vsecp->vsa_aclcnt <= 0)
1880 aclp = zfs_acl_alloc(zfs_acl_version(zfsvfs->z_version));
1883 aclnode = zfs_acl_node_alloc(aclcnt * sizeof (zfs_object_ace_t));
1884 if (aclp->z_version == ZFS_ACL_VERSION_INITIAL) {
1885 if ((error = zfs_copy_ace_2_oldace(obj_type, aclp,
1886 (ace_t *)vsecp->vsa_aclentp, aclnode->z_acldata,
1887 aclcnt, &aclnode->z_size)) != 0) {
1889 zfs_acl_node_free(aclnode);
1893 if ((error = zfs_copy_ace_2_fuid(zfsvfs, obj_type, aclp,
1894 vsecp->vsa_aclentp, aclnode->z_acldata, aclcnt,
1895 &aclnode->z_size, fuidp, cr)) != 0) {
1897 zfs_acl_node_free(aclnode);
1901 aclp->z_acl_bytes = aclnode->z_size;
1902 aclnode->z_ace_count = aclcnt;
1903 aclp->z_acl_count = aclcnt;
1904 list_insert_head(&aclp->z_acl, aclnode);
1907 * If flags are being set then add them to z_hints
1909 if (vsecp->vsa_mask & VSA_ACE_ACLFLAGS) {
1910 if (vsecp->vsa_aclflags & ACL_PROTECTED)
1911 aclp->z_hints |= ZFS_ACL_PROTECTED;
1912 if (vsecp->vsa_aclflags & ACL_DEFAULTED)
1913 aclp->z_hints |= ZFS_ACL_DEFAULTED;
1914 if (vsecp->vsa_aclflags & ACL_AUTO_INHERIT)
1915 aclp->z_hints |= ZFS_ACL_AUTO_INHERIT;
1927 zfs_setacl(znode_t *zp, vsecattr_t *vsecp, boolean_t skipaclchk, cred_t *cr)
1929 zfsvfs_t *zfsvfs = zp->z_zfsvfs;
1930 zilog_t *zilog = zfsvfs->z_log;
1931 ulong_t mask = vsecp->vsa_mask & (VSA_ACE | VSA_ACECNT);
1935 zfs_fuid_info_t *fuidp = NULL;
1936 boolean_t fuid_dirtied;
1942 if (zp->z_pflags & ZFS_IMMUTABLE)
1945 if (error = zfs_zaccess(zp, ACE_WRITE_ACL, 0, skipaclchk, cr))
1948 error = zfs_vsec_2_aclp(zfsvfs, ZTOV(zp)->v_type, vsecp, cr, &fuidp,
1954 * If ACL wide flags aren't being set then preserve any
1957 if (!(vsecp->vsa_mask & VSA_ACE_ACLFLAGS)) {
1959 (zp->z_pflags & V4_ACL_WIDE_FLAGS);
1962 mutex_enter(&zp->z_acl_lock);
1963 mutex_enter(&zp->z_lock);
1965 tx = dmu_tx_create(zfsvfs->z_os);
1967 dmu_tx_hold_sa(tx, zp->z_sa_hdl, B_TRUE);
1969 fuid_dirtied = zfsvfs->z_fuid_dirty;
1971 zfs_fuid_txhold(zfsvfs, tx);
1974 * If old version and ACL won't fit in bonus and we aren't
1975 * upgrading then take out necessary DMU holds
1978 if ((acl_obj = zfs_external_acl(zp)) != 0) {
1979 if (zfsvfs->z_version >= ZPL_VERSION_FUID &&
1980 zfs_znode_acl_version(zp) <= ZFS_ACL_VERSION_INITIAL) {
1981 dmu_tx_hold_free(tx, acl_obj, 0,
1983 dmu_tx_hold_write(tx, DMU_NEW_OBJECT, 0,
1986 dmu_tx_hold_write(tx, acl_obj, 0, aclp->z_acl_bytes);
1988 } else if (!zp->z_is_sa && aclp->z_acl_bytes > ZFS_ACE_SPACE) {
1989 dmu_tx_hold_write(tx, DMU_NEW_OBJECT, 0, aclp->z_acl_bytes);
1992 zfs_sa_upgrade_txholds(tx, zp);
1993 error = dmu_tx_assign(tx, TXG_NOWAIT);
1995 mutex_exit(&zp->z_acl_lock);
1996 mutex_exit(&zp->z_lock);
1998 if (error == ERESTART) {
2008 error = zfs_aclset_common(zp, aclp, cr, tx);
2010 ASSERT(zp->z_acl_cached == NULL);
2011 zp->z_acl_cached = aclp;
2014 zfs_fuid_sync(zfsvfs, tx);
2016 zfs_log_acl(zilog, tx, zp, vsecp, fuidp);
2019 zfs_fuid_info_free(fuidp);
2022 mutex_exit(&zp->z_lock);
2023 mutex_exit(&zp->z_acl_lock);
2029 * Check accesses of interest (AoI) against attributes of the dataset
2030 * such as read-only. Returns zero if no AoI conflict with dataset
2031 * attributes, otherwise an appropriate errno is returned.
2034 zfs_zaccess_dataset_check(znode_t *zp, uint32_t v4_mode)
2036 if ((v4_mode & WRITE_MASK) &&
2037 (zp->z_zfsvfs->z_vfs->vfs_flag & VFS_RDONLY) &&
2038 (!IS_DEVVP(ZTOV(zp)) ||
2039 (IS_DEVVP(ZTOV(zp)) && (v4_mode & WRITE_MASK_ATTRS)))) {
2044 * Only check for READONLY on non-directories.
2046 if ((v4_mode & WRITE_MASK_DATA) &&
2047 (((ZTOV(zp)->v_type != VDIR) &&
2048 (zp->z_pflags & (ZFS_READONLY | ZFS_IMMUTABLE))) ||
2049 (ZTOV(zp)->v_type == VDIR &&
2050 (zp->z_pflags & ZFS_IMMUTABLE)))) {
2055 if ((v4_mode & (ACE_DELETE | ACE_DELETE_CHILD)) &&
2056 (zp->z_pflags & ZFS_NOUNLINK)) {
2061 * In FreeBSD we allow to modify directory's content is ZFS_NOUNLINK
2062 * (sunlnk) is set. We just don't allow directory removal, which is
2063 * handled in zfs_zaccess_delete().
2065 if ((v4_mode & ACE_DELETE) &&
2066 (zp->z_pflags & ZFS_NOUNLINK)) {
2071 if (((v4_mode & (ACE_READ_DATA|ACE_EXECUTE)) &&
2072 (zp->z_pflags & ZFS_AV_QUARANTINED))) {
2080 * The primary usage of this function is to loop through all of the
2081 * ACEs in the znode, determining what accesses of interest (AoI) to
2082 * the caller are allowed or denied. The AoI are expressed as bits in
2083 * the working_mode parameter. As each ACE is processed, bits covered
2084 * by that ACE are removed from the working_mode. This removal
2085 * facilitates two things. The first is that when the working mode is
2086 * empty (= 0), we know we've looked at all the AoI. The second is
2087 * that the ACE interpretation rules don't allow a later ACE to undo
2088 * something granted or denied by an earlier ACE. Removing the
2089 * discovered access or denial enforces this rule. At the end of
2090 * processing the ACEs, all AoI that were found to be denied are
2091 * placed into the working_mode, giving the caller a mask of denied
2092 * accesses. Returns:
2093 * 0 if all AoI granted
2094 * EACCESS if the denied mask is non-zero
2095 * other error if abnormal failure (e.g., IO error)
2097 * A secondary usage of the function is to determine if any of the
2098 * AoI are granted. If an ACE grants any access in
2099 * the working_mode, we immediately short circuit out of the function.
2100 * This mode is chosen by setting anyaccess to B_TRUE. The
2101 * working_mode is not a denied access mask upon exit if the function
2102 * is used in this manner.
2105 zfs_zaccess_aces_check(znode_t *zp, uint32_t *working_mode,
2106 boolean_t anyaccess, cred_t *cr)
2108 zfsvfs_t *zfsvfs = zp->z_zfsvfs;
2111 uid_t uid = crgetuid(cr);
2113 uint16_t type, iflags;
2114 uint16_t entry_type;
2115 uint32_t access_mask;
2116 uint32_t deny_mask = 0;
2117 zfs_ace_hdr_t *acep = NULL;
2122 zfs_fuid_map_ids(zp, cr, &fowner, &gowner);
2124 mutex_enter(&zp->z_acl_lock);
2126 error = zfs_acl_node_read(zp, B_FALSE, &aclp, B_FALSE);
2128 mutex_exit(&zp->z_acl_lock);
2132 ASSERT(zp->z_acl_cached);
2134 while (acep = zfs_acl_next_ace(aclp, acep, &who, &access_mask,
2136 uint32_t mask_matched;
2138 if (!zfs_acl_valid_ace_type(type, iflags))
2141 if (ZTOV(zp)->v_type == VDIR && (iflags & ACE_INHERIT_ONLY_ACE))
2144 /* Skip ACE if it does not affect any AoI */
2145 mask_matched = (access_mask & *working_mode);
2149 entry_type = (iflags & ACE_TYPE_FLAGS);
2153 switch (entry_type) {
2161 case ACE_IDENTIFIER_GROUP:
2162 checkit = zfs_groupmember(zfsvfs, who, cr);
2170 if (entry_type == 0) {
2173 newid = zfs_fuid_map_id(zfsvfs, who, cr,
2175 if (newid != IDMAP_WK_CREATOR_OWNER_UID &&
2180 mutex_exit(&zp->z_acl_lock);
2187 DTRACE_PROBE3(zfs__ace__denies,
2189 zfs_ace_hdr_t *, acep,
2190 uint32_t, mask_matched);
2191 deny_mask |= mask_matched;
2193 DTRACE_PROBE3(zfs__ace__allows,
2195 zfs_ace_hdr_t *, acep,
2196 uint32_t, mask_matched);
2198 mutex_exit(&zp->z_acl_lock);
2202 *working_mode &= ~mask_matched;
2206 if (*working_mode == 0)
2210 mutex_exit(&zp->z_acl_lock);
2212 /* Put the found 'denies' back on the working mode */
2214 *working_mode |= deny_mask;
2216 } else if (*working_mode) {
2224 * Return true if any access whatsoever granted, we don't actually
2225 * care what access is granted.
2228 zfs_has_access(znode_t *zp, cred_t *cr)
2230 uint32_t have = ACE_ALL_PERMS;
2232 if (zfs_zaccess_aces_check(zp, &have, B_TRUE, cr) != 0) {
2235 owner = zfs_fuid_map_id(zp->z_zfsvfs, zp->z_uid, cr, ZFS_OWNER);
2236 return (secpolicy_vnode_any_access(cr, ZTOV(zp), owner) == 0);
2242 zfs_zaccess_common(znode_t *zp, uint32_t v4_mode, uint32_t *working_mode,
2243 boolean_t *check_privs, boolean_t skipaclchk, cred_t *cr)
2245 zfsvfs_t *zfsvfs = zp->z_zfsvfs;
2248 *working_mode = v4_mode;
2249 *check_privs = B_TRUE;
2252 * Short circuit empty requests
2254 if (v4_mode == 0 || zfsvfs->z_replay) {
2259 if ((err = zfs_zaccess_dataset_check(zp, v4_mode)) != 0) {
2260 *check_privs = B_FALSE;
2265 * The caller requested that the ACL check be skipped. This
2266 * would only happen if the caller checked VOP_ACCESS() with a
2267 * 32 bit ACE mask and already had the appropriate permissions.
2274 return (zfs_zaccess_aces_check(zp, working_mode, B_FALSE, cr));
2278 zfs_zaccess_append(znode_t *zp, uint32_t *working_mode, boolean_t *check_privs,
2281 if (*working_mode != ACE_WRITE_DATA)
2284 return (zfs_zaccess_common(zp, ACE_APPEND_DATA, working_mode,
2285 check_privs, B_FALSE, cr));
2289 zfs_fastaccesschk_execute(znode_t *zdp, cred_t *cr)
2291 boolean_t owner = B_FALSE;
2292 boolean_t groupmbr = B_FALSE;
2294 uid_t uid = crgetuid(cr);
2297 if (zdp->z_pflags & ZFS_AV_QUARANTINED)
2300 is_attr = ((zdp->z_pflags & ZFS_XATTR) &&
2301 (ZTOV(zdp)->v_type == VDIR));
2306 mutex_enter(&zdp->z_acl_lock);
2308 if (zdp->z_pflags & ZFS_NO_EXECS_DENIED) {
2309 mutex_exit(&zdp->z_acl_lock);
2313 if (FUID_INDEX(zdp->z_uid) != 0 || FUID_INDEX(zdp->z_gid) != 0) {
2314 mutex_exit(&zdp->z_acl_lock);
2318 if (uid == zdp->z_uid) {
2320 if (zdp->z_mode & S_IXUSR) {
2321 mutex_exit(&zdp->z_acl_lock);
2324 mutex_exit(&zdp->z_acl_lock);
2328 if (groupmember(zdp->z_gid, cr)) {
2330 if (zdp->z_mode & S_IXGRP) {
2331 mutex_exit(&zdp->z_acl_lock);
2334 mutex_exit(&zdp->z_acl_lock);
2338 if (!owner && !groupmbr) {
2339 if (zdp->z_mode & S_IXOTH) {
2340 mutex_exit(&zdp->z_acl_lock);
2345 mutex_exit(&zdp->z_acl_lock);
2348 DTRACE_PROBE(zfs__fastpath__execute__access__miss);
2349 ZFS_ENTER(zdp->z_zfsvfs);
2350 error = zfs_zaccess(zdp, ACE_EXECUTE, 0, B_FALSE, cr);
2351 ZFS_EXIT(zdp->z_zfsvfs);
2356 * Determine whether Access should be granted/denied.
2357 * The least priv subsytem is always consulted as a basic privilege
2358 * can define any form of access.
2361 zfs_zaccess(znode_t *zp, int mode, int flags, boolean_t skipaclchk, cred_t *cr)
2363 uint32_t working_mode;
2366 boolean_t check_privs;
2368 znode_t *check_zp = zp;
2372 is_attr = ((zp->z_pflags & ZFS_XATTR) && (ZTOV(zp)->v_type == VDIR));
2376 * In FreeBSD, we don't care about permissions of individual ADS.
2377 * Note that not checking them is not just an optimization - without
2378 * this shortcut, EA operations may bogusly fail with EACCES.
2380 if (zp->z_pflags & ZFS_XATTR)
2384 * If attribute then validate against base file
2389 if ((error = sa_lookup(zp->z_sa_hdl,
2390 SA_ZPL_PARENT(zp->z_zfsvfs), &parent,
2391 sizeof (parent))) != 0)
2394 if ((error = zfs_zget(zp->z_zfsvfs,
2395 parent, &xzp)) != 0) {
2402 * fixup mode to map to xattr perms
2405 if (mode & (ACE_WRITE_DATA|ACE_APPEND_DATA)) {
2406 mode &= ~(ACE_WRITE_DATA|ACE_APPEND_DATA);
2407 mode |= ACE_WRITE_NAMED_ATTRS;
2410 if (mode & (ACE_READ_DATA|ACE_EXECUTE)) {
2411 mode &= ~(ACE_READ_DATA|ACE_EXECUTE);
2412 mode |= ACE_READ_NAMED_ATTRS;
2417 owner = zfs_fuid_map_id(zp->z_zfsvfs, zp->z_uid, cr, ZFS_OWNER);
2419 * Map the bits required to the standard vnode flags VREAD|VWRITE|VEXEC
2420 * in needed_bits. Map the bits mapped by working_mode (currently
2421 * missing) in missing_bits.
2422 * Call secpolicy_vnode_access2() with (needed_bits & ~checkmode),
2427 working_mode = mode;
2428 if ((working_mode & (ACE_READ_ACL|ACE_READ_ATTRIBUTES)) &&
2429 owner == crgetuid(cr))
2430 working_mode &= ~(ACE_READ_ACL|ACE_READ_ATTRIBUTES);
2432 if (working_mode & (ACE_READ_DATA|ACE_READ_NAMED_ATTRS|
2433 ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_SYNCHRONIZE))
2434 needed_bits |= VREAD;
2435 if (working_mode & (ACE_WRITE_DATA|ACE_WRITE_NAMED_ATTRS|
2436 ACE_APPEND_DATA|ACE_WRITE_ATTRIBUTES|ACE_SYNCHRONIZE))
2437 needed_bits |= VWRITE;
2438 if (working_mode & ACE_EXECUTE)
2439 needed_bits |= VEXEC;
2441 if ((error = zfs_zaccess_common(check_zp, mode, &working_mode,
2442 &check_privs, skipaclchk, cr)) == 0) {
2445 return (secpolicy_vnode_access2(cr, ZTOV(zp), owner,
2446 needed_bits, needed_bits));
2449 if (error && !check_privs) {
2455 if (error && (flags & V_APPEND)) {
2456 error = zfs_zaccess_append(zp, &working_mode, &check_privs, cr);
2459 if (error && check_privs) {
2460 mode_t checkmode = 0;
2463 * First check for implicit owner permission on
2464 * read_acl/read_attributes
2468 ASSERT(working_mode != 0);
2470 if ((working_mode & (ACE_READ_ACL|ACE_READ_ATTRIBUTES) &&
2471 owner == crgetuid(cr)))
2472 working_mode &= ~(ACE_READ_ACL|ACE_READ_ATTRIBUTES);
2474 if (working_mode & (ACE_READ_DATA|ACE_READ_NAMED_ATTRS|
2475 ACE_READ_ACL|ACE_READ_ATTRIBUTES|ACE_SYNCHRONIZE))
2477 if (working_mode & (ACE_WRITE_DATA|ACE_WRITE_NAMED_ATTRS|
2478 ACE_APPEND_DATA|ACE_WRITE_ATTRIBUTES|ACE_SYNCHRONIZE))
2479 checkmode |= VWRITE;
2480 if (working_mode & ACE_EXECUTE)
2483 error = secpolicy_vnode_access2(cr, ZTOV(check_zp), owner,
2484 needed_bits & ~checkmode, needed_bits);
2486 if (error == 0 && (working_mode & ACE_WRITE_OWNER))
2487 error = secpolicy_vnode_chown(ZTOV(check_zp), cr, owner);
2488 if (error == 0 && (working_mode & ACE_WRITE_ACL))
2489 error = secpolicy_vnode_setdac(ZTOV(check_zp), cr, owner);
2491 if (error == 0 && (working_mode &
2492 (ACE_DELETE|ACE_DELETE_CHILD)))
2493 error = secpolicy_vnode_remove(ZTOV(check_zp), cr);
2495 if (error == 0 && (working_mode & ACE_SYNCHRONIZE)) {
2496 error = secpolicy_vnode_chown(ZTOV(check_zp), cr, owner);
2500 * See if any bits other than those already checked
2501 * for are still present. If so then return EACCES
2503 if (working_mode & ~(ZFS_CHECKED_MASKS)) {
2507 } else if (error == 0) {
2508 error = secpolicy_vnode_access2(cr, ZTOV(zp), owner,
2509 needed_bits, needed_bits);
2520 * Translate traditional unix VREAD/VWRITE/VEXEC mode into
2521 * native ACL format and call zfs_zaccess()
2524 zfs_zaccess_rwx(znode_t *zp, mode_t mode, int flags, cred_t *cr)
2526 return (zfs_zaccess(zp, zfs_unix_to_v4(mode >> 6), flags, B_FALSE, cr));
2530 * Access function for secpolicy_vnode_setattr
2533 zfs_zaccess_unix(znode_t *zp, mode_t mode, cred_t *cr)
2535 int v4_mode = zfs_unix_to_v4(mode >> 6);
2537 return (zfs_zaccess(zp, v4_mode, 0, B_FALSE, cr));
2541 zfs_delete_final_check(znode_t *zp, znode_t *dzp,
2542 mode_t available_perms, cred_t *cr)
2547 downer = zfs_fuid_map_id(dzp->z_zfsvfs, dzp->z_uid, cr, ZFS_OWNER);
2549 error = secpolicy_vnode_access2(cr, ZTOV(dzp),
2550 downer, available_perms, VWRITE|VEXEC);
2553 error = zfs_sticky_remove_access(dzp, zp, cr);
2559 * Determine whether Access should be granted/deny, without
2560 * consulting least priv subsystem.
2563 * The following chart is the recommended NFSv4 enforcement for
2564 * ability to delete an object.
2566 * -------------------------------------------------------
2567 * | Parent Dir | Target Object Permissions |
2569 * -------------------------------------------------------
2570 * | | ACL Allows | ACL Denies| Delete |
2571 * | | Delete | Delete | unspecified|
2572 * -------------------------------------------------------
2573 * | ACL Allows | Permit | Permit | Permit |
2574 * | DELETE_CHILD | |
2575 * -------------------------------------------------------
2576 * | ACL Denies | Permit | Deny | Deny |
2577 * | DELETE_CHILD | | | |
2578 * -------------------------------------------------------
2579 * | ACL specifies | | | |
2580 * | only allow | Permit | Permit | Permit |
2581 * | write and | | | |
2583 * -------------------------------------------------------
2584 * | ACL denies | | | |
2585 * | write and | Permit | Deny | Deny |
2587 * -------------------------------------------------------
2590 * No search privilege, can't even look up file?
2594 zfs_zaccess_delete(znode_t *dzp, znode_t *zp, cred_t *cr)
2596 uint32_t dzp_working_mode = 0;
2597 uint32_t zp_working_mode = 0;
2598 int dzp_error, zp_error;
2599 mode_t available_perms;
2600 boolean_t dzpcheck_privs = B_TRUE;
2601 boolean_t zpcheck_privs = B_TRUE;
2604 * We want specific DELETE permissions to
2605 * take precedence over WRITE/EXECUTE. We don't
2606 * want an ACL such as this to mess us up.
2607 * user:joe:write_data:deny,user:joe:delete:allow
2609 * However, deny permissions may ultimately be overridden
2610 * by secpolicy_vnode_access().
2612 * We will ask for all of the necessary permissions and then
2613 * look at the working modes from the directory and target object
2614 * to determine what was found.
2617 if (zp->z_pflags & (ZFS_IMMUTABLE | ZFS_NOUNLINK))
2622 * If the directory permissions allow the delete, we are done.
2624 if ((dzp_error = zfs_zaccess_common(dzp, ACE_DELETE_CHILD,
2625 &dzp_working_mode, &dzpcheck_privs, B_FALSE, cr)) == 0)
2629 * If target object has delete permission then we are done
2631 if ((zp_error = zfs_zaccess_common(zp, ACE_DELETE, &zp_working_mode,
2632 &zpcheck_privs, B_FALSE, cr)) == 0)
2635 ASSERT(dzp_error && zp_error);
2637 if (!dzpcheck_privs)
2645 * If directory returns EACCES then delete_child was denied
2646 * due to deny delete_child. In this case send the request through
2647 * secpolicy_vnode_remove(). We don't use zfs_delete_final_check()
2648 * since that *could* allow the delete based on write/execute permission
2649 * and we want delete permissions to override write/execute.
2652 if (dzp_error == EACCES)
2653 return (secpolicy_vnode_remove(ZTOV(dzp), cr)); /* XXXPJD: s/dzp/zp/ ? */
2657 * only need to see if we have write/execute on directory.
2660 dzp_error = zfs_zaccess_common(dzp, ACE_EXECUTE|ACE_WRITE_DATA,
2661 &dzp_working_mode, &dzpcheck_privs, B_FALSE, cr);
2663 if (dzp_error != 0 && !dzpcheck_privs)
2670 available_perms = (dzp_working_mode & ACE_WRITE_DATA) ? 0 : VWRITE;
2671 available_perms |= (dzp_working_mode & ACE_EXECUTE) ? 0 : VEXEC;
2673 return (zfs_delete_final_check(zp, dzp, available_perms, cr));
2678 zfs_zaccess_rename(znode_t *sdzp, znode_t *szp, znode_t *tdzp,
2679 znode_t *tzp, cred_t *cr)
2684 if (szp->z_pflags & ZFS_AV_QUARANTINED)
2687 add_perm = (ZTOV(szp)->v_type == VDIR) ?
2688 ACE_ADD_SUBDIRECTORY : ACE_ADD_FILE;
2691 * Rename permissions are combination of delete permission +
2692 * add file/subdir permission.
2694 * BSD operating systems also require write permission
2695 * on the directory being moved from one parent directory
2698 if (ZTOV(szp)->v_type == VDIR && ZTOV(sdzp) != ZTOV(tdzp)) {
2699 if (error = zfs_zaccess(szp, ACE_WRITE_DATA, 0, B_FALSE, cr))
2704 * first make sure we do the delete portion.
2706 * If that succeeds then check for add_file/add_subdir permissions
2709 if (error = zfs_zaccess_delete(sdzp, szp, cr))
2713 * If we have a tzp, see if we can delete it?
2716 if (error = zfs_zaccess_delete(tdzp, tzp, cr))
2721 * Now check for add permissions
2723 error = zfs_zaccess(tdzp, add_perm, 0, B_FALSE, cr);
projects / FreeBSD / releng / 9.0.git / blob